Abstract

The idea of successively refining an abstract specification until it contains enough details to suggest an implementation has been investigated by numerous researchers. The emphasis to date has been on techniques that, unfortunately, lead to a large amount of manual formal labor for each refinement step. With such techniques, both the cost and the possibility of errors arising in formal manipulation are high. Using a theorem prover can reduce the number of manipulation errors, but, given current technology, the amount of labor is still daunting. This research explores an alternative solution to the refinement problem, namely the use of syntactic transformations to realize each refinement step. We reduce formal labor by employing automatic transformations that guarantee the preservation of desirable properties, e.g., deadlock-freedom, safety, liveness. Automatic transformations are particularly appealing for the development of large, complex distributed systems, where a manual approach to refinement would be prohibitively expensive. Distributed computations are, by nature, reactive and concurrent, so their correctness cannot be specified as a simple functional relationship between inputs and outputs. Instead, specifications must describe the time-varying behavior of the system. Further difficulty is caused by the fact that such important characteristics of distribution as deadlock-freedom are global properties that cannot be achieved by considering local structures only. Transformations generally must encompass the entire system. This paper presents three syntactic transformations that can be used to replace an atomic action in a concurrent program by a program fragment. The work presented here is an extension and continuation of the transformations work presented in [Attie et al. 96]. We give the applicability conditions for our transformations, and show that deadlock-freedom and certain liveness properties are preserved when the transformations are applied in a context where the applicability conditions are satisfied.
1 Introduction


Formal program verification is widely accepted as a means of guaranteeing the correctness of concurrent programs [Hoare 69, Francez 92, Lamport 80, Vardi 87]. The practical utility of formal verification is limited by numerous factors, for example, the large amount of manual labor required, the possibility of proof errors, the lack of personnel trained in proof techniques, and so on. It is also clear that post-development verification alone does not provide a systematic software development process. Successive refinement is an alternative approach for producing correct concurrent programs: start with an abstract specification and incrementally refine it to a stage where implementation becomes relatively straightforward. Refinement is not a new idea, of course, but most of the techniques proposed to date (for example, see [Back et al. 83, Back et al. 85, Chandy et al. 88, Ramesh et al. 87]) require large amounts of manual formal labor for each refinement step. Even methodologies based on automatic theorem proving [Manna et al. 94, Constable et al. 89, Cleaveland et al. 96] require user intervention, either to select the rule of inference used to generate the next step of a proof [Cleaveland et al. 96], or to supply invariants and/or correct automatically generated invariants that are not "inductive," i.e., that cannot be proven to be invariants in the deductive system being used [Manna et al. 94]. Other approaches [Aceto 92, van Glabbeek 90, Czaja et al. 91] address the issue of which equivalence relations are preserved by refinement. In other words, if $P$ and $Q$ are programs such that $P$ is "bisimilar" to $Q$ (under some notion of bisimulation, see [Baeten et al. 90, Milner 89]), then $ref(P)$ will be bisimilar to $ref(Q)$ under this same bisimulation notion, where $ref(P)$ and $ref(Q)$ are "corresponding" refinements of $P$ and $Q$, i.e., refinements that refine the same action of $P$ and $Q$ in the same way. While such approaches provide a nice theoretical foundation, they do not directly address the central concern, namely the establishment of a relationship between a program and its refinement, i.e., between $P$ and $ref(P)$.

Central to our approach is the concept of correctness-preserving syntactic transformations. Such transformations are mechanizable and, therefore, do not involve significant amounts of manual labor. Using this approach, the process of development may be viewed as the human-assisted high-level compilation of a specification into code. Furthermore, by avoiding proof-based methods, we obviate the need to formulate (usually) complicated invariants, a difficult task at best, even with the aid of automated tools.

In the foreseeable future, human creativity will remain essential for choosing an appropriate transformation to apply at each stage. But verifying that a transformation preserves desired properties is unnecessary, in our approach, because this is guaranteed by the fact that the transformations are correctness-preserving.

This paper presents transformations that decompose an action into sequences and/or choices (possibly nested) of "smaller" actions. These transformations are sound, in that they preserve certain correctness properties of concurrent programs (i.e., if the initial program has the property, then so will the transformed program). The correctness properties that are preserved are deadlock-freedom and temporal leads-to (action $a$ leads-to action $b$ iff whenever $a$ is executed, $b$ is guaranteed to be subsequently executed). Formal proofs of soundness are given, as well as an example of refinement using the transformations.
2 Notation, Syntax, and Semantics


A program is the composition of a fixed set of sequential processes executing concurrently. We use the nondeterministic interleaving model of concurrency. That is, we view concurrency as the nondeterministic interleaving of events. An event is the atomic (i.e., indivisible) execution of an action. We use ; , [] , and || to denote sequence, choice, and parallel composition, respectively. The semantics of these operators is similar to that given in CSP [Hoare 85]. To model state transitions, we employ the concept of a labeled transition system, as used in [Milner 89]. $\xrightarrow{a}$ will denote the transition relation induced by action $a$. The formal meaning of ; , [] , ||, and $\xrightarrow{a}$ is given below.

Definition 1 (Action)

An action $a$ consists of a character string (i.e., an identifier) drawn from some set $\mathcal{A}$ of identifiers.

We use lower-case letters towards the beginning of the alphabet to denote actions.

Definition 2 (Action Expression)

An action expression $E$ is a finite expression given by the following BNF grammar:

<action-expression> ::= <action-expression> [] <action-expression>
                      | <action-expression> ; <action-expression>
                      | ( <action-expression> )
                      | <action> | ε | 0

$E, F, G, H$ range over the set of action expressions. We make the convention that ; has higher binding power than [] , so that $E; F \,[]\, G$ denotes $(E; F) \,[]\, G$. Intuitively, $E; F$ means execute $E$ and then execute $F$, while $E \,[]\, F$ means execute either $E$ or $F$. [] is commutative, and [] and ; are both associative.

$0$ ("stop") is the identity element of [] , and $\varepsilon$ ("skip") is the identity element of ; . They obey the following axioms: $0 \,[]\, A = A$, $A \,[]\, 0 = A$, $A; \varepsilon = A$, $\varepsilon; A = A$. We define the relation of equality ($=$) among action expressions as follows. $E = F$ iff one can be obtained from the other by a finite number of any of the following: 1) application of the above axioms for $0$ and $\varepsilon$, 2) application of the commutativity property of [] or the associativity property of [] and ; , and 3) adding/removing parentheses in accordance with the precedence of ; over [] .

We define $\mathit{alphabet}(E)$, the alphabet of action expression $E$, as follows.

Definition 3 (Alphabet)

The alphabet of an action expression is given as follows:

$\mathit{alphabet}(a) = \{a\}$
$\mathit{alphabet}(E \,[]\, F) = \mathit{alphabet}(E) \cup \mathit{alphabet}(F)$
$\mathit{alphabet}(E; F) = \mathit{alphabet}(E) \cup \mathit{alphabet}(F)$

Definition 4 (Sequential Process)

A sequential process $P_i$ consists of a process body and a process alphabet. The body of process $P_i$, $\mathit{body}(P_i)$, is an expression of the form $F_i; {*}E_i$ where $F_i, E_i$ are action expressions. The alphabet of process $P_i$, $\mathit{alphabet}(P_i)$, is defined to be a set of action names. The process alphabet must contain $\mathit{alphabet}(F_i) \cup \mathit{alphabet}(E_i)$.

Note that this definition extends the definition of "alphabet" to processes. We have also introduced $*$, which denotes infinite iteration. We extend $=$ to process bodies in a straightforward manner. If $\mathit{body}(P_i) = F_i; {*}E_i$ and $\mathit{body}(P_j) = F_j; {*}E_j$, then $\mathit{body}(P_i) = \mathit{body}(P_j)$ iff $F_i = F_j$ and $E_i = E_j$. Finally, $P_i = P_j$ iff $\mathit{alphabet}(P_i) = \mathit{alphabet}(P_j)$ and $\mathit{body}(P_i) = \mathit{body}(P_j)$. (Note that when we write $\mathit{alphabet}(P_i) = \mathit{alphabet}(P_j)$, the $=$ symbol denotes standard set-theoretic equality, because alphabets are sets.)

Definition 5 (Program)

A program $P$ is the parallel composition of one or more sequential processes; i.e., $P = (\,\|\, i \in \varphi : P_i)$, where $\varphi$ is some suitable index set. Also, $\mathit{alphabet}(P) = (\bigcup i \in \varphi : \mathit{alphabet}(P_i))$.

$\|$ is commutative and associative, which justifies the index notation $\|\, i \in \varphi$ introduced in the above definition. For the sake of simplicity, we assume that all variables in a program are uniquely named. We extend $=$ to programs in the expected manner: $(\,\|\, i \in \varphi : P_i) = (\,\|\, i \in \psi : Q_i)$ iff $\varphi = \psi$ and, for all $i \in \varphi$, $P_i = Q_i$.

Definition 6 (Participant Set $PA_P$)

The participant set $PA_P(a)$ of action $a$ is given by:

$PA_P(a) = \{\, i \mid a \in \mathit{alphabet}(P_i) \,\}$

$PA_P(a)$ is the set of processes within program $P$ that jointly and synchronously participate in the execution of action $a$. If $|PA_P(a)| > 1$ then $a$ is a multiparty interaction of program $P$. If $|PA_P(a)| = 1$, then $a$ is a local action of some process $P_i$ (namely the $P_i$ such that $a \in \mathit{alphabet}(P_i)$) in program $P$.

2.1 Operational Semantics

The operational semantics of a program $P$ is defined by giving the transitions that the execution of each action $a$ in $\mathit{alphabet}(P)$ can generate. Our definition proceeds bottom up, defining the binary transition relation $\xrightarrow{a}$ over action expressions first, then over sequential processes, and finally over programs. In each case, execution of $a$ takes the action expression (sequential process, program) to a new action expression (sequential process, program, resp.). In order to avoid the well-known phenomenon that the behavior of $E \,[]\, F$ and $\varepsilon; E \,[]\, \varepsilon; F$ is different even though they are "equal", we stipulate that the transition relation cannot be applied to $0$ and $\varepsilon$, i.e., $\xrightarrow{0}$ and $\xrightarrow{\varepsilon}$ are not defined. This does not cause any difficulties, since $\varepsilon$ and $0$ can always be eliminated from an expression using the above axioms, after which the transition relation can be applied. This stipulation means that $0$ and $\varepsilon$ are never executed.

Definition 7 (Transition Relation $\xrightarrow{a}$)

The transitions generated by action $a$ are as follows:

Act      ---------------------
         (a; E) --a--> E

Choice   E --a--> E'                 F --a--> F'
         ---------------------       ---------------------
         (E [] F) --a--> E'          (E [] F) --a--> F'

Seq      E --a--> E'
         ---------------------
         (E; F) --a--> (E'; F)

Iter     (E; *E) --a--> E'
         ---------------------
         *E --a--> E'

We extend $\xrightarrow{a}$ to processes by stipulating that $P_i \xrightarrow{a} P_i'$ iff $\mathit{body}(P_i) \xrightarrow{a} \mathit{body}(P_i')$ and $\mathit{alphabet}(P_i) = \mathit{alphabet}(P_i')$. In other words, the alphabets are the same and the bodies are related by $\xrightarrow{a}$. Finally, we extend $\xrightarrow{a}$ to programs as follows:

Let $P = (\,\|\, i \in \varphi : P_i)$, $P' = (\,\|\, i \in \varphi : P_i')$. Then $P \xrightarrow{a} P'$ iff:

1. for all $i \in PA_P(a)$: $P_i \xrightarrow{a} P_i'$

2. for all $i \in \varphi - PA_P(a)$: $P_i = P_i'$


Definition 8 (Ready, Enabled, Disabled)

For a process $P_i$, we write $P_i \xrightarrow{a}$ to mean that there exists a $P_i'$ such that $P_i \xrightarrow{a} P_i'$. We say that $P_i$ readies $a$ in this case.

For a program $P$, we write $P \xrightarrow{a}$ to mean that there exists a $P'$ such that $P \xrightarrow{a} P'$. In this case, we say that $P$ enables $a$, or that $a$ is enabled in $P$. We also write $P \not\xrightarrow{a}$ to mean that there does not exist a $P'$ such that $P \xrightarrow{a} P'$, and we say that $a$ is disabled in $P$ in this case.

Suppose $P_i \xrightarrow{c}$. Then the general form for the body of $P_i$ is $F; {*}E$, where $F$ has one of the forms $c$, $c; G$, $c \,[]\, H$, $c; G \,[]\, H$. All of these forms are subsumed by the form $c; G \,[]\, H$, however, since $c = c; \varepsilon \,[]\, 0$, $c; G = c; G \,[]\, 0$, and $c \,[]\, H = c; \varepsilon \,[]\, H$. Thus the introduction of $0$ and $\varepsilon$ allows us to avoid a large amount of tedious case-analysis. We now present some preliminary definitions and results.


Definition 9 (Derivative, Path)

If $P \xrightarrow{a_1} P_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} P'$ for some sequence $a_1, \ldots, a_n$ of actions, then (again following [Milner 89]) we say that $P'$ is a derivative of $P$. The sequence $a_1, \ldots, a_n$ is called a path. If path $\pi = a_1, \ldots, a_n$, then we abbreviate $P \xrightarrow{a_1} \cdots \xrightarrow{a_n} P'$ by $P \xrightarrow{\pi} P'$.

A path is also called a computation.

Definition 10 (Maximal Path)

A path that is either infinite or ends in a derivative that has no enabled actions is called maximal.

Consider a program consisting of a single process $P_i = {*}[a; b \,[]\, a; c]$. Clearly, $P_i \xrightarrow{a} (b; P_i)$ and $P_i \xrightarrow{a} (c; P_i)$. This example can easily be extended to arbitrary paths. Thus, establishing $P \xrightarrow{\pi} P'$ and $P \xrightarrow{\pi} P''$ for some $P, \pi, P', P''$ does not allow us to conclude $P' = P''$. Thus, if $P$ and $\pi$ are given, then the assertion $P \xrightarrow{\pi} P'$ can be regarded as an abbreviation for "let $P \xrightarrow{\pi} P'$ for some $P'$."

Suppose we have a path $\pi = \pi' b c \pi''$. Then the path $\pi' c b \pi''$ is said to be obtained from $\pi$ by a single exchange of actions $b$ and $c$.
Definition 11 (Independent)

Two actions $b, c$ are independent in program $P$ iff $PA_P(b) \cap PA_P(c) = \emptyset$.

Definition 12 (Equivalent)

Two paths $\pi, \rho$ are equivalent ($\pi \equiv \rho$) iff one can be obtained from the other by a finite or countably infinite number of exchanges of adjacent independent actions (with the restriction that each action can be subjected to only a finite number of exchanges).

Proposition 1 If actions $b, c$ are independent in program $P$, and $P \xrightarrow{bc} P'$, then $P \xrightarrow{cb} P'$.

Proposition 2 Let $P \xrightarrow{\pi} Q$. If $\pi$ and $\rho$ are equivalent, then $P \xrightarrow{\rho} Q$.

3  Correctness  Properties  of  Programs 

As  stated  in  the  introduction,  the  correctness  properties  that  our  transformations  preserve  are 
deadlock-freedom  and  temporal  leads-to.  We  define  these  properties  as  follows. 

Definition 13 (Deadlock-Freedom)

If for every derivative $P'$ of $P$, there is some action $a$ such that $P' \xrightarrow{a}$, then $P$ is deadlock-free.

As  our  concern  here  is  with  nonterminating,  reactive,  concurrent  programs,  the  property  of 
deadlock-freedom  is  a  crucial  one,  and  indeed  is  a  prerequisite  for  demonstrating  that  our  transfor¬ 
mations  preserve  the  temporal  leads-to  property. 

Definition 14 (Temporal Leads-to, $a \leadsto b$, $\models a \leadsto b$)

A computation $\pi$ satisfies $a \leadsto b$ iff every occurrence of $a$ along $\pi$ is eventually followed by an occurrence of $b$.

A program $P$ satisfies $a \leadsto b$ iff every maximal computation of $P$ satisfies $a \leadsto b$.

We write $\pi \models a \leadsto b$ and $P \models a \leadsto b$ for "$\pi$ satisfies $a \leadsto b$" and "$P$ satisfies $a \leadsto b$", respectively.

Temporal leads-to is a particular form of liveness property that is very useful in verifying that distributed systems interact properly with their environment. For example, every request must "lead to" a suitable response. Temporal leads-to properties are also interesting because they can be easily composed. For example, if $a \leadsto b$ and $b \leadsto c$, then $a \leadsto c$ (i.e., $\leadsto$ is transitive). Thus, a leads-to property $a_1 \leadsto a_n$ can be established as a sequence of leads-to properties $a_1 \leadsto a_2$, $a_2 \leadsto a_3$, $\ldots$, $a_{n-1} \leadsto a_n$. Each of these intermediate leads-to properties would presumably be established by a single transformation, and then $a_1 \leadsto a_n$ would be established by the sequence of these transformations.

In  establishing  liveness  properties,  the  notion  of  fairness  is  useful.  A  fair  scheduling  notion 
usually  specifies  that  if  an  action  is  enabled  “sufficiently  often,”  then  it  is  eventually  executed 
(where  different  fairness  notions  have  different  specifications  for  “sufficiently  often”).  For  our 
purposes,  the  following  notion  suffices. 

Definition 15 (Weak Action Fairness)

The fairness notion weak action fairness is as follows:

if an action is enabled continuously from some point onwards, then it is eventually executed.
In the sequel, we shall use "fairness" as an abbreviation for weak action fairness.

Definition 16 (Fair Computation)

A computation $\pi$ is fair iff $\pi$ has no suffix along which some action is enabled continuously but never executed.

Definition 17 (Fair $a \leadsto b$, $\models_f a \leadsto b$)

A program $P$ satisfies $a \leadsto b$ with respect to weak fairness iff every maximal fair computation of $P$ satisfies $a \leadsto b$.

We write $P \models_f a \leadsto b$ for "$P$ satisfies $a \leadsto b$ with respect to weak fairness".

4 The Transformations

As stated in the introduction, our transformations decompose an action $c$ into possibly nested sequences and/or choices of "smaller" actions. Thus, every occurrence of $c$ in some process $P_i$ is replaced by an action expression $E_i$ that specifies the decomposition of $P_i$'s part in action $c$. Since $c$ has, in general, more than one participant process, we are led to the following definition.

Definition 18 (Program Fragment, Process Fragment)

Let $P$ be a program and $c \in \mathit{alphabet}(P)$. For each $i \in PA_P(c)$, let $E_i$ be an action expression such that $\mathit{alphabet}(E_i) \cap \mathit{alphabet}(P) = \emptyset$. Then $E = (\,\|\, i \in PA_P(c) : E_i)$ is a program fragment for $P$ with respect to $c$, and each $E_i$ is a process fragment for $P_i$ with respect to $c$.

We have identified three transformations that can be used to refine programs for concurrent systems (we take our "high-level" programs to be, in effect, executable specifications). Given a program fragment $E = (\,\|\, i \in \varphi : E_i)$ for $P$ with respect to $c$, our transformations are as follows:

1. The transformation $[c/c;E]$: every occurrence of $c$ in $P_i$ (for all $i \in PA_P(c)$) is replaced by $c; E_i$.

2. The transformation $[c/E;c]$: every occurrence of $c$ in $P_i$ (for all $i \in PA_P(c)$) is replaced by $E_i; c$.

3. The transformation $[c/E]$: every occurrence of $c$ in $P_i$ (for all $i \in PA_P(c)$) is replaced by $E_i$.

To facilitate the formal definition of these transformations, we first define our notion of syntactic substitution.

Definition 19 (Syntactic Substitution)

Let $a$ be an arbitrary action, and $E, G, H$ be arbitrary action expressions. Then, we have

$\varepsilon[c/E] = \varepsilon$
$0[c/E] = 0$
$a[c/E] = a$ if $a \neq c$
$c[c/E] = E$
$(G \,[]\, H)[c/E] = ((G[c/E]) \,[]\, (H[c/E]))$
$(G; H)[c/E] = ((G[c/E]); (H[c/E]))$

In the sequel, we will use the abbreviation $\hat{G}$ for $G[c/E]$ for an arbitrary action expression $G$.
The following definitions will also be useful in the subsequent technical discussion.

Definition 20 ($\mathit{initial}(E_i)$, $\mathit{initial}(E)$)

Let $E = (\,\|\, i \in \varphi : E_i)$ be a program fragment for $P$ with respect to $c$. Then $\mathit{initial}(E_i) = \{\, a \mid E_i \xrightarrow{a} \,\}$, and $\mathit{initial}(E) = \{\, a \mid E \xrightarrow{a} \,\}$.

In other words, $\mathit{initial}(E_i)$ and $\mathit{initial}(E)$ are the sets of actions that are the first actions executable by $E_i$ and $E$ respectively.

We say that a process $P_i$ enters $E$ iff $P_i$ executes an action in $\mathit{initial}(E)$.

Example 1 If $E = (E_1 :: a; b) \,\|\, (E_2 :: (b; d) \,[]\, a)$, then $\mathit{initial}(E_2) = \{a, b\}$, and $\mathit{initial}(E) = \{a\}$ ($b$ belongs to the alphabets of both fragments, and $E_1$ does not ready $b$ until it has executed $a$).

Definition 21 ($\mathit{choice}(P_i, c)$)

Let $P_i$ be a process and $c \in \mathit{alphabet}(P_i)$. Then $\mathit{choice}(P_i, c) = \{\, d \mid$ "$c \,[]\, d$" occurs in $\mathit{body}(P_i) \,\}$.

In other words, $\mathit{choice}(P_i, c)$ is the set of all actions that $P_i$ could execute as an alternative choice to executing $c$.

4.1 The Transformation $[c/c;E]$

Definition 22 (Transformation $[c/c;E]$)

We define the transformation $[c/c;E]$ in a bottom-up manner as follows. For an arbitrary process $P_i$ such that $c \in \mathit{alphabet}(P_i)$, and $\mathit{body}(P_i) = H; {*}G$ for some action expressions $H, G$, define $P_i[c/c;E] = Q_i$, where $\mathit{alphabet}(Q_i) = \mathit{alphabet}(P_i) \cup \mathit{alphabet}(E)$ and $\mathit{body}(Q_i) = H[c/c;E]; {*}(G[c/c;E])$.

Let $P = (\,\|\, i \in \varphi : P_i)$ be an arbitrary program. We define

$P[c/c;E] = (\,\|\, i \in PA_P(c) : P_i[c/c;E]) \,\|\, (\,\|\, i \in \varphi - PA_P(c) : P_i)$.

4.2 The Transformation $[c/E;c]$

Definition 23 (Transformation $[c/E;c]$)

We define the transformation $[c/E;c]$ in a bottom-up manner as follows. For an arbitrary process $P_i$ such that $c \in \mathit{alphabet}(P_i)$, and $\mathit{body}(P_i) = H; {*}G$ for some action expressions $H, G$, define $P_i[c/E;c] = Q_i$, where $\mathit{alphabet}(Q_i) = \mathit{alphabet}(P_i) \cup \mathit{alphabet}(E)$ and $\mathit{body}(Q_i) = H[c/E;c]; {*}(G[c/E;c])$.

Let $P = (\,\|\, i \in \varphi : P_i)$ be an arbitrary program. We define

$P[c/E;c] = (\,\|\, i \in PA_P(c) : P_i[c/E;c]) \,\|\, (\,\|\, i \in \varphi - PA_P(c) : P_i)$.

4.3 The Transformation $[c/E]$

Definition 24 (Transformation $[c/E]$)

We define the transformation $[c/E]$ in a bottom-up manner as follows. For an arbitrary process $P_i$ such that $c \in \mathit{alphabet}(P_i)$, and $\mathit{body}(P_i) = H; {*}G$ for some action expressions $H, G$, define $P_i[c/E] = Q_i$, where $\mathit{alphabet}(Q_i) = \mathit{alphabet}(P_i) \cup \mathit{alphabet}(E)$ and $\mathit{body}(Q_i) = H[c/E]; {*}(G[c/E])$.

Let $P = (\,\|\, i \in \varphi : P_i)$ be an arbitrary program. We define

$P[c/E] = (\,\|\, i \in PA_P(c) : P_i[c/E]) \,\|\, (\,\|\, i \in \varphi - PA_P(c) : P_i)$.
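The three transformations above are purely syntactic, so they can be carried out mechanically. The following Python is an added worked example, not code from the paper: it encodes action expressions as nested tuples, implements the substitution $G[c/E]$ of Definition 19 and the process- and program-level transformations of Definitions 22 to 24 (each participant's alphabet grows by $\mathit{alphabet}(E)$, as those definitions state), and refuses to proceed when the fragment reuses an action name of $P$, which is the first applicability condition given in Section 5. The tuple encoding, the function names, and the sample program over the actions $c, x, y, z$ are assumptions made for this example.

```python
# Action expressions of Section 2 as nested tuples (an encoding chosen for this example).
# STOP and SKIP stand for the constants 0 and epsilon; star is the iteration * of Def. 4.
STOP, SKIP = ("stop",), ("skip",)
def act(a):    return ("act", a)
def seq(e, f): return ("seq", e, f)
def ch(e, f):  return ("ch", e, f)
def star(e):   return ("iter", e)

def alphabet(e):
    """Def. 3 (extended to *, 0 and epsilon): the action names occurring in e."""
    return {e[1]} if e[0] == "act" else set().union(*(alphabet(x) for x in e[1:]))

def subst(g, c, e):
    """Def. 19: G[c/E], replacing every occurrence of the action c in G by E."""
    if g[0] in ("stop", "skip"):
        return g
    if g[0] == "act":
        return e if g[1] == c else g
    return (g[0],) + tuple(subst(x, c, e) for x in g[1:])   # [] , ; and * distribute

def participants(prog, c):
    """Def. 6: PA_P(c) for a program given as a tuple of (alphabet, body) processes."""
    return [i for i, (alpha, _) in enumerate(prog) if c in alpha]

def condition1(prog, c, frag):
    """Applicability condition 1 of Defs. 32 and 33: alphabet(E) and alphabet(P) are disjoint
    (Def. 18 already demands this of every E_i)."""
    alpha_e = set().union(*(alphabet(e) for e in frag.values()))
    alpha_p = set().union(*(alpha for alpha, _ in prog))
    return not (alpha_e & alpha_p)

def transform(prog, c, frag, kind):
    """Defs. 22-24. frag maps each index in PA_P(c) to its process fragment E_i;
    kind selects [c/c;E] ("c;E"), [c/E;c] ("E;c") or [c/E] ("E")."""
    pa = participants(prog, c)
    if set(frag) != set(pa):
        raise ValueError("frag must give an E_i for exactly the participants of c")
    if not condition1(prog, c, frag):
        raise ValueError("applicability condition 1 violated: E reuses actions of P")
    alpha_e = set().union(*(alphabet(e) for e in frag.values()))   # alphabet(E)
    out = []
    for i, (alpha, body) in enumerate(prog):
        if i not in frag:                        # non-participants of c are left untouched
            out.append((alpha, body))
            continue
        ei = frag[i]
        rep = {"c;E": seq(act(c), ei), "E;c": seq(ei, act(c)), "E": ei}[kind]
        # body(Q_i) = H[c/..]; *(G[c/..]) and alphabet(Q_i) = alphabet(P_i) U alphabet(E);
        # subst distributes through the whole body H; *G, so one call covers both parts.
        out.append((frozenset(alpha | alpha_e), subst(body, c, rep)))
    return tuple(out)
```

For a program with $P_1 = {*}(c; x)$, $P_2 = {*}(y; c)$, $P_3 = {*}z$ and the fragment $E_1 = a; b$, $E_2 = b$, `transform(prog, "c", frag, "c;E")` yields $Q_1 = {*}(c; a; b; x)$ and $Q_2 = {*}(y; c; b)$ with alphabets enlarged by $\{a, b\}$, and leaves $P_3$ unchanged; supplying a fragment that mentions $x$ is rejected before anything is rewritten.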
5 Soundness of the Transformations


All of our transformations have associated applicability conditions that determine when the transformations can be used. These applicability conditions are needed in order to avoid the following problems that can arise when applying a transformation:

• Introduction of deadlock: The original program is deadlock-free but the transformed program is deadlock-prone.

• Partial execution: The action $c$ in the original program is atomic, i.e., either it is executed to completion or not at all. When $c$ is refined into (for example) $E$, it is possible for situations to arise where $E$ is only partially executed. This is undesirable, since an execution of $c$ in the original program corresponds to a complete execution of $E$ in the transformed program. A partial execution of $E$, therefore, corresponds to no behavior of the original program. Hence the transformed program exhibits behavior that could never be exhibited by the original program. This makes it impossible (usually) to verify that the desired correctness properties embodied in the original program have been preserved by the transformed program.

• Uncoordinated entry: It is possible that some participants of $c$ start executing $E$ (in the refined program) but others never enter their corresponding parts of $E$.

In effect, these applicability conditions test for certain properties of programs that guarantee the absence of the problems discussed above.

5.1 The Applicability Conditions

We now present and define formally the applicability conditions that must be satisfied in order for our transformations to preserve the correctness properties of deadlock-freedom and temporal leads-to. We shall need the following definition.

Definition 25 ($\bar{E}$)

Let $E = (\,\|\, i \in \varphi : E_i)$ be a program fragment. Then $\bar{E} = (\,\|\, i \in \varphi : E_i; 0)$.

$\bar{E}$ is a program whose computations are those that can be generated by executing each process fragment $E_i$ exactly once.

The single-iteration property states that any partial execution of $\bar{E}$ (in isolation) can always be completed into a full execution of $\bar{E}$. In other words, if $E$ is regarded as a program and executed in isolation, then every process (i.e., the $E_i$, $i \in \varphi$) is guaranteed to execute its body to completion. This condition is crucial in establishing that neither partial execution nor deadlock (see above) occur in the transformed program.

Definition 26 (The Single-Iteration Property)

Let $E = (\,\|\, i \in \varphi : E_i)$ be a program fragment. Then $E$ has the single-iteration property iff for every derivative $F$ of $\bar{E}$, there exists a path $\pi$ such that $F \xrightarrow{\pi} (\,\|\, i \in \varphi : 0)$.

Definition 27 (The Loose-Synchronization Property)

Let $E = (\,\|\, i \in \varphi : E_i)$ be a program fragment. Then $E$ has the loose-synchronization property iff $\bar{E}$ has no derivative of the form $(\,\|\, i \in \varphi' : E_i; 0) \,\|\, (\,\|\, i \in \varphi'' : F_i; 0) \,\|\, (\,\|\, i \in \varphi''' : 0)$, where $\varphi'$ and $\varphi'''$ are nonempty, and $\varphi', \varphi'', \varphi'''$ partition $\varphi$.
In effect, the loose-synchronization property states that it is impossible for a subset of the processes in $\varphi$ to execute a complete iteration of their process fragments $E_i$ while another subset has not yet started. Hence, all the participants of $c$ are loosely synchronized in that at some point, they must simultaneously all be in $E$.
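The transition rules of Definition 7, derivatives (Definition 9), deadlock-freedom (Definition 13) and the single-iteration and loose-synchronization properties of $\bar{E}$ (Definitions 26 and 27) all reduce to a search over the derivatives of a program, and that search is finite because a process body only ever takes finitely many syntactic shapes. The Python below is an added example, not code from the paper, that performs this search: `step` is Definition 7 on action expressions (after eliminating $0$ and $\varepsilon$ with the axioms of Section 2), `prog_step` synchronizes the participants $PA_P(a)$, and the remaining functions are the checks just named, applied to the program $\bar{E}$ of Definition 25. The tuple encoding, the function names and the fragments used as inputs are assumptions of this example.

```python
from collections import deque
from itertools import product

# Action expressions (Def. 2) as nested tuples (an encoding chosen for this example).
# STOP and SKIP stand for the constants 0 and epsilon; star is the iteration * of Def. 4.
STOP, SKIP = ("stop",), ("skip",)
def act(a):    return ("act", a)
def seq(e, f): return ("seq", e, f)
def ch(e, f):  return ("ch", e, f)
def star(e):   return ("iter", e)

def alphabet(e):
    """Def. 3: the action names occurring in e (0 and epsilon contribute none)."""
    return {e[1]} if e[0] == "act" else set().union(*(alphabet(x) for x in e[1:]))

def norm(e):
    """Eliminate 0 and epsilon by the axioms 0[]A = A, A[]0 = A, A;eps = A, eps;A = A."""
    k = e[0]
    if k in ("stop", "skip", "act"):
        return e
    if k == "iter":
        return ("iter", norm(e[1]))
    l, r = norm(e[1]), norm(e[2])
    if k == "seq":
        return r if l == SKIP else l if r == SKIP else ("seq", l, r)
    return r if l == STOP else l if r == STOP else ("ch", l, r)

def step(e, a):
    """Def. 7 on action expressions: the set of E' with E --a--> E' (empty if a is not ready)."""
    e = norm(e)
    k = e[0]
    if k == "act":                                  # Act: (a; E) --a--> E, reading a as a; eps
        return {SKIP} if e[1] == a else set()
    if k == "seq":                                  # Seq: E --a--> E' gives (E; F) --a--> (E'; F)
        return {norm(("seq", e1, e[2])) for e1 in step(e[1], a)}
    if k == "ch":                                   # Choice: either branch may make the move
        return step(e[1], a) | step(e[2], a)
    if k == "iter" and e[1] not in (STOP, SKIP):    # Iter: (E; *E) --a--> E' gives *E --a--> E'
        return step(("seq", e[1], e), a)
    return set()                                    # 0 and epsilon are never executed

# A process is a pair (alphabet, body) and a program a tuple of processes (Defs. 4 and 5).
def participants(prog, a):
    """Def. 6: PA_P(a), the indices of the processes whose alphabet contains a."""
    return [i for i, (alpha, _) in enumerate(prog) if a in alpha]

def prog_step(prog, a):
    """Def. 7 on programs: every participant of a moves on a, all other processes stay put."""
    pa = participants(prog, a)
    moves = [step(prog[i][1], a) for i in pa]
    if not pa or not all(moves):
        return set()
    succ = set()
    for combo in product(*moves):                  # one successor per combination of local choices
        new = list(prog)
        for i, body in zip(pa, combo):
            new[i] = (prog[i][0], body)
        succ.add(tuple(new))
    return succ

def enabled(prog):
    """Def. 8: the actions a with P --a-->."""
    return {a for alpha, _ in prog for a in alpha if prog_step(prog, a)}

def derivatives(prog):
    """Def. 9: all derivatives of prog (prog included), by breadth-first search over the
    finitely many syntactic shapes the bodies can take."""
    seen, todo = {prog}, deque([prog])
    while todo:
        p = todo.popleft()
        for a in enabled(p):
            for q in prog_step(p, a) - seen:
                seen.add(q)
                todo.append(q)
    return seen

def deadlock_free(prog):
    """Def. 13: every derivative enables at least one action."""
    return all(enabled(d) for d in derivatives(prog))

def fragment_program(frag):
    """Def. 25: E-bar = (|| i : E_i; 0), each process fragment executed exactly once."""
    return tuple((frozenset(alphabet(e)), norm(seq(e, STOP))) for e in frag)

def single_iteration(frag):
    """Def. 26: from every derivative of E-bar the state (|| i : 0) is reachable."""
    done = tuple((frozenset(alphabet(e)), STOP) for e in frag)
    return all(done in derivatives(d) for d in derivatives(fragment_program(frag)))

def loose_synchronization(frag):
    """Def. 27: no derivative of E-bar has one fragment finished (0) while another has not started."""
    start = fragment_program(frag)
    for d in derivatives(start):
        finished = any(body == STOP for _, body in d)
        unstarted = any(body == s[1] for (_, body), s in zip(d, start))
        if finished and unstarted:
            return False
    return True
```

For the single-process program ${*}[a; b \,[]\, a; c]$ of Section 2.1, `step(body, "a")` returns both $b; P_i$ and $c; P_i$, as the text says. Two processes ${*}(a; b)$ and ${*}(b; a)$ that both own the joint actions $a$ and $b$ enable nothing in their initial state, so `deadlock_free` rejects them, whereas ${*}(x; c) \,\|\, {*}(y; c)$ with $c$ joint and $x$, $y$ local is accepted. Among fragments, $(a; b) \,\|\, b$ has both the single-iteration and the loose-synchronization property; two independent fragments $a \,\|\, b$ keep the first but lose the second, since one of them can finish before the other starts; and $(a; b) \,\|\, (b; a)$ over a shared alphabet deadlocks at once and so fails single iteration.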

Definition 28 (The No-Overtaking Property)

Let $E = (\,\|\, i \in \varphi : E_i)$ be a program fragment. Then $E$ has the no-overtaking property iff for every derivative of $\bar{E}$ of the form $(\,\|\, i \in \varphi' : F_i; 0) \,\|\, (\,\|\, i \in \varphi'' : 0)$ (where $\varphi', \varphi''$ partition $\varphi$), we have $(\bigcup_{i \in \varphi'} \mathit{alphabet}(F_i)) \cap (\bigcup_{j \in \varphi''} \mathit{alphabet}(E_j)) = \emptyset$.

In effect, the no-overtaking property states that it is impossible for a subset of the processes in $\varphi$ to execute a complete iteration of their process fragments $E_i$ and then loop around and interact with the other processes that have yet to complete the first iteration. This allows us to establish a "separation" between successive iterations of $E$: a process executing the $n$'th iteration of $E$ cannot interact with a process executing the $(n+1)$'st iteration of $E$.

Our next applicability condition is conspiracy-resistance. The conspiracy-resistance property states that, if the processes that ready a particular action $a$ are frozen (i.e., not allowed to execute any action), then that freezing does not prevent yet another participant of $a$ from eventually readying $a$. This property is used in proving that partial execution does not occur in the transformed program (since all of the participants of $E$ eventually ready $E$, and so $E$ is executed to completion).

For a more extensive discussion of conspiracy-resistance, the reader is referred to [Attie et al. 93]. To formally define conspiracy resistance, we must first define the concept of an $(a, A)$-derived program.

Definition 29 ($(a, A)$-derived program)

Let $P$ be a program, let $a \in \mathit{alphabet}(P)$, and let $A \subseteq PA_P(a)$. The $(a, A)$-derived program $P_{a,A}$ is obtained from $P$ by replacing with $0$ every occurrence of $b$ (where $b \neq a$) that occurs in a choice with $a$, in every process $P_i$ with $i \in A$.

Definition 30 (Conspiracy Resistance)

An action $a$ is conspiracy resistant in a program $P$ iff for every computation $\pi$ of $P$ the following condition holds:

Let $\pi_1$ be any finite prefix of $\pi$ ending in the derivative $P'$, and let $PA_a'$ be the set of all the participants of $a$ that ready $a$ in $P'$. Then, for every computation $\pi_2$ of the $(a, PA_a')$-derived program $P'_{a, PA_a'}$ obtained from $P'$, there exists a participant $P_j$ with $j \in (PA_P(a) - PA_a')$ such that $P_j$ eventually readies $a$ along $\pi_2$.

The third applicability condition is coordinated-entry. Conspiracy resistance guarantees that every participant of $E$ eventually readies $E$. However, once $E$ is readied, it is still possible for the participant process to execute actions not in $E$ (if $E$ occurs in a choice). The coordinated-entry condition guarantees that, if one of the participants of $E$ has actually chosen $E$ for execution, then they will all do so.

Definition 31 (Coordinated Entry)

We say that a program fragment $E = (\,\|\, i \in \varphi : E_i)$ is coordinated-entry with respect to a program $P = (\,\|\, i \in \varphi : P_i)$ and an action $c \in \mathit{alphabet}(P)$ iff there exists a $\psi \subseteq \varphi$ such that:

1. $\bigwedge i, j \in \psi : \mathit{initial}(E_i) = \mathit{initial}(E_j) \wedge \mathit{initial}(E) \subseteq \mathit{initial}(E_i)$

2. $\bigwedge i \in \varphi - \psi : \mathit{initial}(E_i) \cap \mathit{initial}(E) = \emptyset$

3. $\bigwedge i \in \varphi : \mathit{choice}(P_i, c) \subseteq \bigcup_{j \in \psi} \mathit{alphabet}(P_j)$

The first clause says that every initial action of $E$ is an initial action of every $E_i$, $i \in \psi$. Hence, every process fragment $E_i$, $i \in \psi$, participates in every initial action of $E$. The second clause says that no initial action of $E_i$, $i \notin \psi$, is an initial action of $E$. In other words, the process fragments $E_i$, $i \notin \psi$, never participate in any initial action of $E$. These two clauses together imply that it is the process fragments in $\psi$ that control the entry into $E$ for all processes. The third clause says that every action that is a possible alternative choice to entering $E$ must have some participant process with index in $\psi$. Thus, the alternatives to entering $E$ are controlled by the processes in $\psi$. Hence, in the transformed program, if a process $P_i$, $i \in \psi$, arrives at the choice point where it can either enter $E$ or execute an alternative action, there are two possibilities:

1. $P_i$ enters $E$. In this case, every process in $\psi$ must enter $E$ simultaneously with $P_i$, by clause 1. Also, by clause 3, no process outside $\psi$ can execute an action not in $E$ upon reaching the choice point.

2. $P_i$ executes an action not in $E$. In this case, no process in $\psi$ can enter $E$ upon reaching the choice point, since the processes in $\psi$ must enter $E$ together (by clause 1). By clause 2, no process outside $\psi$ can enter $E$ upon reaching the choice point, since these processes can only enter $E$ by interacting with some process in $\psi$ that has already entered $E$.

Hence we see that in both cases all processes make the same decision about whether or not to enter $E$.

We  now  give  the  exact  applicability  conditions  for  each  transformation.  We  assume,  in  the  rest  of 
the  paper  (except  the  example),  that  these  conditions  are  always  met  whenever  the  transformation 
is  mentioned. 

Definition 32 (Applicability Conditions for the Transformation $[c/c;E]$)

The applicability conditions for $[c/c;E]$ are as follows:

1. $alphabet(E) \cap alphabet(P) = \emptyset$.

2. $E$ has the single-iteration property.

Definition 33 (Applicability Conditions for the Transformation $[c/E;c]$)

The applicability conditions for $[c/E;c]$ are as follows:

1. $alphabet(E) \cap alphabet(P) = \emptyset$.

2. $E$ has the single-iteration property.

3. $c$ is conspiracy resistant in $P$.

4. $E$ is coordinated-entry with respect to $P$ and $c$.

Definition 34 (Applicability Conditions for the Transformation $[c/E]$)

The applicability conditions for $[c/E]$ are as follows:

1. $alphabet(E) \cap alphabet(P) = \emptyset$.

2. $E$ has the single-iteration property.

3. $c$ is conspiracy resistant in $P$.

4. $E$ is coordinated-entry with respect to $P$ and $c$.

5. $E$ has the loose-synchronization property.

6. $E$ has the no-overtaking property.
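
Two of the conditions above, alphabet disjointness and coordinated-entry (Definition 31), are the ones
Section 7 describes as purely syntactic and efficiently checkable. The following Python is an added
example, not code from the paper: it encodes the first transformation of Section 6.2 (program 1,
$c = coord_1$, and the fragment $E$ given there) as sets of actions and checks both conditions, including
a brute-force search for a $\psi$ satisfying Definition 31. Representing each process or fragment by its
alphabet and its set of initial actions, taking the participants of an action to be the processes whose
alphabet contains it, and reading clause 3 the way the paper's prose explains it (every alternative
to $c$ has a participant with index in $\psi$) are assumptions of the example.

```python
# Added example (not from the paper): an executable check of the purely
# syntactic applicability conditions, alphabet(E) ∩ alphabet(P) = ∅ and
# coordinated-entry (Definition 31), applied to the first transformation of
# Section 6.2.  Assumptions made here, not stated in the paper: a process or
# fragment is given by its alphabet and its set of initial actions, and the
# participants of an action are exactly the processes whose alphabet contains it.
from itertools import combinations

# Program 1 of Section 6.2: every process has alphabet {coord1, coord2}.
P_ALPHABETS = {"mb": {"coord1", "coord2"},
               "mc1": {"coord1", "coord2"},
               "mc2": {"coord1", "coord2"}}
# Alternatives to c = coord1 in program 1, i.e. choice(P, coord1).
P_CHOICE_COORD1 = {"coord2"}

# Fragment E of the first transformation, one E_i per process.
E_ALPHABETS = {"mb": {"chk1", "at1", "bt1", "psc1"},
               "mc1": {"chk1", "at1", "bt1", "synch1", "psc1"},
               "mc2": {"at1", "synch1", "psc1"}}
E_INITIALS = {"mb": {"chk1"}, "mc1": {"chk1"}, "mc2": {"at1", "synch1"}}


def participants(action, alphabets):
    """Assumed participant rule: the processes whose alphabet contains the action."""
    return {i for i, alpha in alphabets.items() if action in alpha}


def initial_of_parallel(initials, alphabets):
    """initial(E) for E = (|| i : E_i): an action is initial for the whole
    fragment only if every one of its participants is ready to do it."""
    all_actions = set().union(*alphabets.values())
    return {a for a in all_actions
            if all(a in initials[i] for i in participants(a, alphabets))}


def alphabets_disjoint(frag_alphabets, prog_alphabets):
    """Condition 1 of Definitions 32-34: alphabet(E) ∩ alphabet(P) = ∅."""
    alpha_e = set().union(*frag_alphabets.values())
    alpha_p = set().union(*prog_alphabets.values())
    return not (alpha_e & alpha_p)


def coordinated_entry(frag_initials, frag_alphabets, prog_alphabets, choice, psi):
    """Definition 31 for one candidate psi.  Clause 3 is implemented as the
    paper's prose reads it: every alternative to c has a participant in psi."""
    psi = set(psi)
    init_e = initial_of_parallel(frag_initials, frag_alphabets)
    others = set(frag_initials) - psi
    clause1 = (all(frag_initials[i] == frag_initials[j]
                   for i, j in combinations(psi, 2))
               and all(frag_initials[i] <= init_e for i in psi))
    clause2 = all(not (frag_initials[i] & init_e) for i in others)
    clause3 = all(participants(a, prog_alphabets) & psi for a in choice)
    return clause1 and clause2 and clause3


def find_psi(frag_initials, frag_alphabets, prog_alphabets, choice):
    """Enumerate every non-empty psi ⊆ φ satisfying Definition 31.  φ is
    small here, so brute force over all subsets is adequate."""
    procs = sorted(frag_initials)
    found = []
    for k in range(1, len(procs) + 1):
        for psi in combinations(procs, k):
            if coordinated_entry(frag_initials, frag_alphabets,
                                 prog_alphabets, choice, psi):
                found.append(psi)
    return found


if __name__ == "__main__":
    print("alphabets disjoint:", alphabets_disjoint(E_ALPHABETS, P_ALPHABETS))
    print("initial(E):", initial_of_parallel(E_INITIALS, E_ALPHABETS))
    print("psi satisfying Definition 31:",
          find_psi(E_INITIALS, E_ALPHABETS, P_ALPHABETS, P_CHOICE_COORD1))
```

For the example fragment the only satisfying $\psi$ is $\{mb, mc1\}$: both ready $chk_1$ first, $mc2$'s initial
actions $at_1$ and $synch_1$ need a partner that is not yet ready, and the alternative $coord_2$ has $mb$ and
$mc1$ among its participants. The check is deliberately per-subset so that a failing candidate (such as
$\{mc2\}$ alone) can be inspected on its own.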

5.2 Layering Results

Our proof strategy rests on the following lemmas, which show that for every computation of the
transformed program, there exists an equivalent “layered” computation in which all the actions of
(every iteration of) $E$ are executed contiguously, i.e., with no actions outside $E$ occurring in between
two actions from $E$. This allows us to establish a natural correspondence between computations
of the original program $P$ and the transformed program $Q$: a computation $\pi$ of $P$ corresponds to
every layered computation $\rho$ of $Q$ that results from $\pi$ by replacing every execution of $c$ in $\pi$ by a
contiguous execution of $E$. The correspondence is extended to unlayered computations of $Q$ using
the equivalence relation over computations: if $\pi$ corresponds to $\rho$, and $\rho \equiv \rho'$, then $\pi$ corresponds
to $\rho'$. Since there is, in general, more than one way to execute $E$, the correspondence relation can
be seen as relating a single computation of $P$ to a countably infinite number of equivalence classes
of computations of $Q$.

Lemma 3 Let $Q = P[c/c;E]$. For every computation $\pi$ of $Q$, there exists an equivalent layered
computation $\pi'$.

Lemma 4 Let $Q = P[c/E;c]$. For every computation $\pi$ of $Q$, there exists an equivalent layered
computation $\pi'$.

Lemma 5 Let $Q = P[c/E]$. For every computation $\pi$ of $Q$, there exists an equivalent layered
computation $\pi'$.
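
The lemmas are proved (appendix A) by repeatedly exchanging adjacent independent events until every
iteration of $E$ is contiguous. As an added example, not code from the paper, the following Python
carries that procedure out on a constructed computation: events of $E^n$ are tagged with their iteration,
events of $P$ are untagged, and a foreign event inside an iteration's span is moved out leftwards past
$a^n$ or rightwards past $b^n$, each exchange being permitted only between events whose participant sets
are disjoint, so the result is equivalent to the input in the sense of Proposition 2. The event
representation and the greedy order in which foreign events are moved are assumptions of the example.

```python
# Added example (not code from the paper): the layering argument of Lemmas 3-5
# made executable.  A computation is a list of events; each event records the
# action name, the iteration of E it belongs to (None for an event of P) and the
# set of participating processes.  Adjacent events are exchanged only when they
# are independent, i.e. have disjoint participant sets.  The sample computations
# below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    action: str
    iteration: Optional[int]          # n for an event of E^n, None for an event of P
    participants: FrozenSet[str]


def independent(x: Event, y: Event) -> bool:
    """Independence as used in the proofs: no process takes part in both events."""
    return not (x.participants & y.participants)


def bubble(seq: List[Event], i: int, target: int) -> Optional[List[Event]]:
    """Move seq[i] to index `target` by exchanging it with a neighbour one step
    at a time.  Every exchange must be between independent events; otherwise
    None is returned and the input list is left untouched."""
    seq = list(seq)
    d = 1 if target > i else -1
    while i != target:
        if not independent(seq[i], seq[i + d]):
            return None
        seq[i], seq[i + d] = seq[i + d], seq[i]
        i += d
    return seq


def layer(computation: List[Event]) -> Optional[Tuple[List[Event], int]]:
    """Return (layered computation, number of exchanges), or None when some
    foreign event inside an iteration's span can be moved neither before its
    first event nor after its last one (the situation the applicability
    conditions are meant to exclude)."""
    seq = list(computation)
    exchanges = 0
    for n in sorted({e.iteration for e in seq if e.iteration is not None}):
        while True:
            idx = [i for i, e in enumerate(seq) if e.iteration == n]
            lo, hi = idx[0], idx[-1]
            foreign = [i for i in range(lo, hi + 1) if seq[i].iteration != n]
            if not foreign:
                break
            # leftmost foreign event leftwards past a^n, else rightmost foreign
            # event rightwards past b^n (Lemma 5: d is independent of a or of b)
            if (moved := bubble(seq, foreign[0], lo)) is not None:
                exchanges += foreign[0] - lo
            elif (moved := bubble(seq, foreign[-1], hi)) is not None:
                exchanges += hi - foreign[-1]
            else:
                return None
            seq = moved
    return seq, exchanges


def is_layered(seq: List[Event]) -> bool:
    """Every iteration's events occupy one contiguous stretch of the sequence."""
    for n in {e.iteration for e in seq if e.iteration is not None}:
        idx = [i for i, e in enumerate(seq) if e.iteration == n]
        if idx[-1] - idx[0] + 1 != len(idx):
            return False
    return True


def ev(action, iteration, *procs):
    return Event(action, iteration, frozenset(procs))


def actions(seq):
    return [e.action for e in seq]


# Constructed computation: E^1 = {a, b} interleaved with P-events d and x, then
# E^2 executed contiguously.  x shares process p1 with a, so it can only be
# moved rightwards past b; d shares nothing with E and moves leftwards.
SAMPLE = [ev("a", 1, "p1", "p2"), ev("d", None, "p4"), ev("x", None, "p1", "p4"),
          ev("b", 1, "p2", "p3"), ev("e", None, "p4"),
          ev("a", 2, "p1", "p2"), ev("b", 2, "p2", "p3")]

# y shares a process with both a and b: some participant left E^1 and re-entered
# it, which the transformations' conditions rule out; layering must fail.
BAD = [ev("a", 1, "p1", "p2"), ev("y", None, "p1", "p3"), ev("b", 1, "p2", "p3")]

if __name__ == "__main__":
    layered, k = layer(SAMPLE)
    print(actions(layered), "after", k, "exchanges")  # ['d', 'a', 'b', 'x', 'e', 'a', 'b'] after 2 exchanges
    print(layer(BAD))                                  # None
```

`layer` returns the exchange count so that the equivalence to the input can be audited: every exchange
was between independent events, which is exactly the hypothesis Proposition 2 needs to carry a
transition sequence from the original computation over to the layered one.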

5.3 Deadlock-Freedom Results

Our deadlock-freedom results are straightforward: all of our transformations preserve the property
of deadlock-freedom. Thus, if the original program is deadlock-free, then so is the transformed
program.

Theorem 6 Let $Q = P[c/c;E]$. If $P$ is deadlock-free, then so is $Q$.

Theorem 7 Let $Q = P[c/E;c]$. If $P$ is deadlock-free, then so is $Q$.

Theorem 8 Let $Q = P[c/E]$. If $P$ is deadlock-free, then so is $Q$.
5.4 Temporal Leads-to Results

We assume, in this section, that $P$ is deadlock-free (and hence $Q$ is too, by the deadlock-freedom
results above). We group the liveness results for each transformation. The first theorem of each
group expresses the preservation (by the transformations) of leads-to properties satisfied by the
original program. The second theorem of each group expresses the preservation (by the transformations)
of leads-to properties satisfied by the program fragment $E$ used in the transformation.
For the third theorem of each group, we first need the following definition.

Definition 35 ($\Diamond$)

Let $E = (\| i \in \varphi : E_i)$ be a program fragment, and let $\hat{E} = (\| i \in \varphi : E_i; 0)$. Then $E \models \Diamond b$ iff
every computation of $\hat{E}$ contains $b$.

Now suppose the original program $P$ satisfies $a \leadsto c$. This would then imply that in the
transformed program $Q$, if $a$ is executed, then eventually a derivative is reached where entering
$E$ is the only possible continuation (otherwise, there would be an alternative to $c$ in $P$, and so
$P \models a \leadsto c$ would not hold). Hence, if executing $b$ is inevitable once $E$ is entered, it then follows
that $a$ leads to $b$ in $Q$. This is expressed by the third theorem of each group.

5.4.1 Liveness Results for the Transformation $[c/c;E]$

Theorem 9 Let $Q = P[c/c;E]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $P \models a \leadsto b$, then $Q \models a \leadsto b$.

Theorem 10 Let $Q = P[c/c;E]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $E \models a \leadsto b$, then $Q \models a \leadsto b$.

Theorem 11 Let $Q = P[c/c;E]$. If $P \models a \leadsto c$, and $E \models \Diamond b$, then $Q \models a \leadsto b$.

5.4.2 Liveness Results for the Transformation $[c/E;c]$

Theorem 12 Let $Q = P[c/E;c]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $P \models a \leadsto b$, then $Q \models a \leadsto b$.

Theorem 13 Let $Q = P[c/E;c]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $E \models a \leadsto b$, then $Q \models a \leadsto b$.

Theorem 14 Let $Q = P[c/E;c]$. If $P \models a \leadsto c$, and $E \models \Diamond b$, then $Q \models a \leadsto b$.

5.4.3 Liveness Results for the Transformation $[c/E]$

Theorem 15 Let $Q = P[c/E]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $P \models a \leadsto b$, then $Q \models a \leadsto b$.

Theorem 16 Let $Q = P[c/E]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $E \models a \leadsto b$, then $Q \models a \leadsto b$.

Theorem 17 Let $Q = P[c/E]$. If $P \models a \leadsto c$, and $E \models \Diamond b$, then $Q \models a \leadsto b$.
6 Example: Mobile Cellular Phone System

We now illustrate the use of the transformations to establish deadlock-freedom and progress properties.
The example we use is a solution to the mobile cellular telephone handoff problem, for which
we first give an informal description.

6.1  Informal  Problem  Description 

A mobile telephone system has a fixed number, N, of mobile telephones (henceforth called mobiles),
and a fixed number, M, of message switching centers (henceforth called msc’s). Normally, each
mobile has a radio link with exactly one msc, which is called that mobile’s manager, all calls to
the mobile being routed by trunk lines to this msc, and then by radio to the mobile. The mobile,
however, may move away from the msc so that eventually the signal quality between the mobile
and the msc deteriorates to an unacceptable level. When this happens, management of the mobile
must be transferred to another msc with which it has a better signal. This transfer operation is
called a handoff.

Informally,  the  system  operates  as  follows:  Each  msc  repeatedly  performs  a  signal-level  check 
on  all  mobiles  that  it  handles.  When  a  signal-level  check  indicates  that  the  signal  quality  has 
deteriorated  to  an  unacceptable  level,  the  following  events  occur  in  sequence: 

1.  the  msc  synchronizes  with  all  other  msc’s 

2.  all  of  the  msc’s  perform  a  signal-level  check  with  the  mobile 

3.  an  election  is  performed  to  determine  the  msc  with  the  highest  signal  level 

4.  a  handoff  is  performed  between  the  old  and  new  msc’s 

The  interactions  corresponding  to  these  events  are: 

•  chk:  a  managing  msc  interacts  with  a  mobile  to  determine  the  strength  of  the  signal  between 
them.  This  is  called  a  “signal-level  check.” 

•  synch:  used  to  synchronize  all  of  the  msc’s  as  a  preliminary  to  electing  a  new  msc  to  handle 
a  particular  mobile 

•  psc:  a  signal-level  check  performed  prior  to  an  election 

•  el:  the  election  of  a  new  msc 

•  st:  the  preliminary  setting  up  of  trunk  lines  just  prior  to  a  handoff 

•  ho:  the  handoff 

There are no safety specifications in this system. The liveness specification may be stated informally
as:

If the signal between a particular mobile and its msc deteriorates to an unacceptable level,
then, provided the mobile has not moved outside the area of coverage, it will eventually be handed
off to an msc with which it has adequate signal strength.

The problem description was obtained from the Electronic Industries Association Interim Standard,
“Cellular Radiotelecommunication Intersystem Operations: Intersystem Handoff,” [EIA87].
6.2 The Example

We consider a system consisting of one mobile ($mb$) and two msc’s ($mc1$, $mc2$). Our initial high-level
model of the system is given in figure 1. There are only two actions: $coord_1$ models the case
where the mobile is being managed by $mc1$, and $coord_2$ models the case where the mobile is being
managed by $mc2$.

We apply the transformation $[c/E]$ to program 1, where $c = coord_1$, and
$E = (E_1 :: chk_1; (at_1 \mid (bt_1; psc_1))) \parallel (E_2 :: chk_1; (at_1 \mid (bt_1; synch_1; psc_1))) \parallel (E_3 :: at_1 \mid (synch_1; psc_1))$.

We can easily check that the applicability conditions for $[c/E]$ are met. The resulting program 2
is shown in figure 2.

Next we apply the transformation $[c/c;E]$ to program 2, where $c = psc_1$, and
$E = (E_1 :: ho_{11} \mid ho_{12}) \parallel (E_2 :: el_1; (ho_{11} \mid (st_{12}; ho_{12}))) \parallel (E_3 :: el_1; (ho_{11} \mid (st_{12}; ho_{12})))$.

We can verify that the applicability conditions for $[c/c;E]$ are met. The resulting program 3 is
shown in figure 3.

To complete the derivation of the program, we apply symmetric transformations to $coord_2$.
The first of these is $[c/E]$ where $c = coord_2$, and
$E = (E_1 :: chk_2; (at_2 \mid (bt_2; psc_2))) \parallel (E_2 :: at_2 \mid (synch_2; psc_2)) \parallel (E_3 :: chk_2; (at_2 \mid (bt_2; synch_2; psc_2)))$.

Applying this to program 3 results in program 4, given in figure 4.

Finally, we apply the transformation $[c/c;E]$ to program 4, where $c = psc_2$, and
$E = (E_1 :: ho_{22} \mid ho_{21}) \parallel (E_2 :: el_2; (ho_{22} \mid (st_{21}; ho_{21}))) \parallel (E_3 :: el_2; (ho_{22} \mid (st_{21}; ho_{21})))$.
The resulting program 5, given in figure 5, is our final program.

6.3 Correctness Properties of the Final Program

Deadlock-freedom of program 1 is trivially verified by inspection. Hence, by our deadlock-freedom
results, we conclude that program 5 is deadlock-free. By using our liveness results, we conclude that
program 5 satisfies the following leads-to properties. We list the relevant transformation to the left
of the properties (we used four transformations, so we refer to them in sequence as transformations
1 through 4):

Transformation 1: $bt_1 \leadsto psc_1$

Transformation 2: $psc_1 \leadsto el_1$

Transformation 3: $bt_2 \leadsto psc_2$

Transformation 4: $psc_2 \leadsto el_2$

These properties can be composed together, using the transitivity of $\leadsto$. This then allows us to
conclude the liveness properties that result from composing transformations:

Transformation 1 followed by transformation 2: $bt_1 \leadsto el_1$

Transformation 3 followed by transformation 4: $bt_2 \leadsto el_2$

We remark that, given program 5 only, the task of establishing the above correctness properties
would not be altogether trivial. A complicated invariant would have to be established to prove
deadlock-freedom of program 5, and an argument based on decreasing bound functions or “helpful
directions” would be used to show liveness. Such arguments can be formalized using deductive
systems for temporal logic [Manna et al. 94]. The proofs, however, are usually somewhat involved.
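
As an added example, not code from the paper, the following Python transcribes programs 1 and 2
(figures 1 and 2) into a small term syntax, gives that syntax an explicit-state semantics, and searches
the reachable global states for one with no enabled action. For these two programs it confirms directly
what the deadlock-freedom results deliver by transformation, and a constructed two-process program
shows how a deadlock is reported. The operational semantics (an action fires only when every process
whose alphabet contains it is ready, and all of them advance together) and the term encoding are
assumptions of the example.

```python
# Added example (not from the paper): an explicit-state checker for the process
# notation of Section 6, used to confirm directly what Theorem 8 lets us conclude
# by transformation: programs 1 and 2 are deadlock-free.  The operational
# semantics assumed here is mine: an action is enabled iff every process whose
# alphabet contains it is ready to perform it, and all of them advance together.
from collections import deque

SKIP = ("skip",)                       # a finished process fragment

def act(a):
    return ("act", a)

def seq(*ts):                          # t1 ; t2 ; ... (right-nested)
    return ts[0] if len(ts) == 1 else ("seq", ts[0], seq(*ts[1:]))

def choice(*ts):                       # [ t1 | t2 | ... ]
    return ts[0] if len(ts) == 1 else ("choice", ts[0], choice(*ts[1:]))

def loop(t):                           # *[ t ]
    return ("loop", t)

def alphabet(t):
    if t[0] == "skip":
        return set()
    if t[0] == "act":
        return {t[1]}
    if t[0] == "loop":
        return alphabet(t[1])
    return alphabet(t[1]) | alphabet(t[2])

def initial(t):
    """Actions the term readies right now."""
    if t[0] == "skip":
        return set()
    if t[0] == "act":
        return {t[1]}
    if t[0] == "choice":
        return initial(t[1]) | initial(t[2])
    return initial(t[1])               # seq and loop: initial of the first component

def step(t, a):
    """All terms a single process can become after performing action a."""
    if t[0] == "act":
        return {SKIP} if t[1] == a else set()
    if t[0] == "seq":
        return {t[2] if r == SKIP else ("seq", r, t[2]) for r in step(t[1], a)}
    if t[0] == "choice":
        return step(t[1], a) | step(t[2], a)
    if t[0] == "loop":
        return {t if r == SKIP else ("seq", r, t) for r in step(t[1], a)}
    return set()

def successors(state, alphabets):
    """Global successors of a tuple of process terms: (action, next_state) pairs."""
    out = []
    for a in set().union(*alphabets):
        parts = [i for i, alpha in enumerate(alphabets) if a in alpha]
        if not all(a in initial(state[i]) for i in parts):
            continue                    # some participant is not ready for a
        combos = [()]                   # cartesian product of local successors
        for i, t in enumerate(state):
            options = list(step(t, a)) if i in parts else [t]
            combos = [c + (o,) for c in combos for o in options]
        out.extend((a, c) for c in combos)
    return out

def explore(program):
    """Breadth-first search over global states.  Returns (number of reachable
    states, list of states with no enabled action).  A state in which every
    process has terminated also counts, but the programs of Section 6 loop forever."""
    alphabets = [alphabet(p) for p in program]
    start = tuple(program)
    seen, queue, stuck = {start}, deque([start]), []
    while queue:
        s = queue.popleft()
        succ = successors(s, alphabets)
        if not succ:
            stuck.append(s)
        for _, n in succ:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return len(seen), stuck

def deadlock_free(program):
    return explore(program)[1] == []

# Programs 1 and 2 (figures 1 and 2), transcribed into the term syntax above.
PROGRAM_1 = [loop(choice(act("coord1"), act("coord2"))) for _ in ("mb", "mc1", "mc2")]
PROGRAM_2 = [
    loop(choice(seq(act("chk1"), choice(act("at1"), seq(act("bt1"), act("psc1")))),
                act("coord2"))),                                             # mb
    loop(choice(seq(act("chk1"), choice(act("at1"),
                                        seq(act("bt1"), act("synch1"), act("psc1")))),
                act("coord2"))),                                             # mc1
    loop(choice(choice(act("at1"), seq(act("synch1"), act("psc1"))),
                act("coord2"))),                                             # mc2
]
# Constructed two-process program that does deadlock: each wants the other's
# first action second.
DEADLOCKING_PAIR = [seq(act("a"), act("b")), seq(act("b"), act("a"))]

if __name__ == "__main__":
    for name, prog in (("program 1", PROGRAM_1), ("program 2", PROGRAM_2),
                       ("deadlocking pair", DEADLOCKING_PAIR)):
        n, stuck = explore(prog)
        print(f"{name}: {n} reachable global states, deadlock-free = {not stuck}")
```

Program 1 has a single global state, and program 2 has four: the initial state, the state after $chk_1$,
the state after $bt_1$, and the state after $synch_1$, from which $psc_1$ returns every process to the top of
its loop. The search is exhaustive, so it scales only to small programs; the point of the paper's results
is precisely that such a search need not be repeated for each program in the derivation.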

Finally, we note that program 5 is slightly sub-optimal: $mc1$ participates in $at_2$. Since $at_2$
represents the positive result of a signal-level check between $mc2$ and $mb$ only, there is no need
for $mc1$ to participate in $at_2$. However, the applicability conditions of the transformation $[c/E]$
required this participation. Eliminating this phenomenon would require designing transformations
that permit participant elimination, i.e., an action $c$ may be refined into a fragment $E$ whose
execution does not always require the participation of all the processes that would participate in
the execution of $c$ (in the original program). Such transformations are a topic for future work.


mb::   *[ coord1
        | coord2
        ]
||
mc1::  *[ coord1
        | coord2
        ]
||
mc2::  *[ coord1
        | coord2
        ]

Figure 1: Program 1


mb::   *[ chk1 ; [ at1
                 | bt1 ; psc1
                 ]
        | coord2
        ]
||
mc1::  *[ chk1 ; [ at1
                 | bt1 ; synch1 ; psc1
                 ]
        | coord2
        ]
||
mc2::  *[ [ at1
          | synch1 ; psc1
          ]
        | coord2
        ]

Figure 2: Program 2


mb::   *[ chk1 ; [ at1
                 | bt1 ; psc1 ; [ ho11
                                | ho12
                                ]
                 ]
        | coord2
        ]
||
mc1::  *[ chk1 ; [ at1
                 | bt1 ; synch1 ; psc1 ; el1 ; [ ho11
                                               | st12 ; ho12
                                               ]
                 ]
        | coord2
        ]
||
mc2::  *[ [ at1
          | synch1 ; psc1 ; el1 ; [ ho11
                                  | st12 ; ho12
                                  ]
          ]
        | coord2
        ]

Figure 3: Program 3


mb::   *[ chk1 ; [ at1
                 | bt1 ; psc1 ; [ ho11
                                | ho12
                                ]
                 ]
        | chk2 ; [ at2
                 | bt2 ; psc2
                 ]
        ]
||
mc1::  *[ chk1 ; [ at1
                 | bt1 ; synch1 ; psc1 ; el1 ; [ ho11
                                               | st12 ; ho12
                                               ]
                 ]
        | [ at2
          | synch2 ; psc2
          ]
        ]
||
mc2::  *[ [ at1
          | synch1 ; psc1 ; el1 ; [ ho11
                                  | st12 ; ho12
                                  ]
          ]
        | chk2 ; [ at2
                 | bt2 ; synch2 ; psc2
                 ]
        ]

Figure 4: Program 4


mb::   *[ chk1 ; [ at1
                 | bt1 ; psc1 ; [ ho11
                                | ho12
                                ]
                 ]
        | chk2 ; [ at2
                 | bt2 ; psc2 ; [ ho22
                                | ho21
                                ]
                 ]
        ]
||
mc1::  *[ chk1 ; [ at1
                 | bt1 ; synch1 ; psc1 ; el1 ; [ ho11
                                               | st12 ; ho12
                                               ]
                 ]
        | [ at2
          | synch2 ; psc2 ; el2 ; [ ho22
                                  | st21 ; ho21
                                  ]
          ]
        ]
||
mc2::  *[ [ at1
          | synch1 ; psc1 ; el1 ; [ ho11
                                  | st12 ; ho12
                                  ]
          ]
        | chk2 ; [ at2
                 | bt2 ; synch2 ; psc2 ; el2 ; [ ho22
                                               | st21 ; ho21
                                               ]
                 ]
        ]

Figure 5: Program 5


7 Future Work

In future work, we intend to address the topic of how to verify that the applicability conditions hold.
Some of the conditions (coordinated-entry, $alphabet(E) \cap alphabet(P) = \emptyset$) are purely syntactic,
and so can be checked algorithmically in an efficient manner. The remaining conditions (single-iteration,
loose-synchronization, no-overtaking, conspiracy-resistance) are semantic. Checking them
mechanically may incur exponential overhead. We plan to investigate alternative strategies. It may
be possible to “construct” the fragment $E$, using a set of “derivation rules”, so that $E$ has the
single-iteration and no-overtaking properties. Furthermore, one might then be able to show that, when
$E$ is constructed in this manner, the property of conspiracy resistance is also preserved by the
transformations. Thus, we are preserving a property (conspiracy-resistance) not because it is
inherently an interesting program correctness property, but because it is an applicability
condition for our transformations. In the proposal for this contract, we envisioned doing this when
the applicability condition was a syntactic property. It has turned out to be useful to have more
complex semantic properties as the applicability conditions for our transformations.

Devising a methodology for ensuring that the applicability conditions are met will allow us to
reason much more powerfully about the results of applying sequences of transformations. Currently
we can infer the results of applying a sequence of transformations, but the intermediate steps of
applying the transformations incur a manual verification of the applicability conditions. When
these conditions are not met, we currently have little insight into why this is so and how we can
modify the derivation sequence of transformations to ensure that the applicability conditions for
the next transformation are met.


8 Conclusions

In this paper we have described three transformations for program refinement. They are used for
refining actions into nested sequences and choices of more refined actions, and may be viewed as
tools for decomposing a large action into a sequence of smaller actions. Such decomposition is
a natural step in the process of refining programs. We proved formally that our transformations
preserve deadlock-freedom and temporal leads-to.

We note that the formal correctness proofs for the transformations are somewhat lengthy. The
salient point, however, is that the proofs are, in effect, reused each time the transformations are
applied. A more traditional proof rule for program correctness [Chandy et al. 88, Francez 92,
Lamport 80] has a shorter formal justification, but requires the designer to produce a manual proof
each time the rule is applied. We believe that it is much more efficient to verify the correctness of
a transformation that can be reused many times, even if the proof is somewhat lengthy.

Correctness-preserving transformations for distributed systems are, in principle, a foundation
for the eventual goal of compiling abstract specifications into architecturally adequate code. Those
who find that objective too distant should, nevertheless, be interested in the medium-term goal
of automating certain laborious and error-prone parts of the development process. An interactive
compiler that handles much of the labor — and is guaranteed not to introduce the deadlocks and
other errors that plague concurrent systems — would be valuable, even if it still depends heavily on
human design creativity. This research is designed to support both the medium- and the long-term
goals.
A Proofs of the Theorems

This section presents the proofs of all propositions, lemmas, and theorems in the paper. The
following definitions will be useful:

An event is the execution of an action. The $n$'th execution of an action $a$ along some computation
$\pi$ will be denoted by $a^n$.

If $a^n$, $b^m$ are two events along $\pi$, with $a^n$ preceding $b^m$, then we denote the portion of $\pi$ between
$a^n$ and $b^m$ (including $a^n$, $b^m$) by $\pi(a^n, b^m)$.

Let $Q_i$ be a process which contains the action expression $E_i$ in its body. We say $Q_i$ is at $E_i$ if
$Q_i$ readies the actions in $initial(E_i)$. We say $Q_i$ is in $E_i$ if $Q_i$ readies some action of $E_i$ not in
$initial(E_i)$.

Let $Q = P[c/c;E]$. If $\pi$ is a layered computation of $Q$, then $\pi\langle c;E/c \rangle$ denotes the computation
that results from removing all events of $E$ from $\pi$.

Let $Q = P[c/E;c]$. If $\pi$ is a layered computation of $Q$, then $\pi\langle E;c/c \rangle$ denotes the computation
that results from removing all events of $E$ from $\pi$.

Let $Q = P[c/E]$. If $\pi$ is a layered computation of $Q$, then $\pi\langle E/c \rangle$ denotes the computation
that results from removing all events of $E$ from $\pi$.

If $Q$ results from $P$ by applying any of the three transformations, then let $E^n$ denote the $n$'th
iteration of $E$ (along a particular computation $\pi$ of $Q$). We say $a^n$, $b^n$ are adjacent in $\pi$ with respect
to $E^n$ if there is no event from $E^n$ in the portion of $\pi$ between $a^n$ and $b^n$. (We assume, without
loss of generality, that $a^n$ precedes $b^n$ along $\pi$.)

Proposition 1 If actions $b, c$ are independent in program $P$, and $P \xrightarrow{bc} P'$, then $P \xrightarrow{cb} P'$.

Proof: Since $b$ and $c$ are independent in $P$, we have $PA_P(b) \cap PA_P(c) = \emptyset$ by definition 11. Let
$P = (\| i \in \varphi : P_i)$, and $P''$ be such that $P \xrightarrow{b} P'' \xrightarrow{c} P'$. Then, by definition 7,

$P'' = (\| i \in PA_P(b) : P''_i) \parallel (\| i \in \varphi - PA_P(b) : P_i)$, where $P_i \xrightarrow{b} P''_i$ for all $i \in PA_P(b)$

Hence, by definition 7 and $PA_P(b) \cap PA_P(c) = \emptyset$,

$P' = (\| i \in PA_P(b) : P''_i) \parallel (\| i \in PA_P(c) : P'_i) \parallel (\| i \in \varphi - (PA_P(b) \cup PA_P(c)) : P_i)$,
where $P_i \xrightarrow{c} P'_i$ for all $i \in PA_P(c)$

By $P_i \xrightarrow{c} P'_i$ for all $i \in PA_P(c)$ and definition 7,

$P \xrightarrow{c} P'''$ where $P''' = (\| i \in PA_P(c) : P'_i) \parallel (\| i \in \varphi - PA_P(c) : P_i)$

Then, by $P_i \xrightarrow{b} P''_i$ for all $i \in PA_P(b)$ and definition 7,

$P''' \xrightarrow{b} (\| i \in PA_P(c) : P'_i) \parallel (\| i \in PA_P(b) : P''_i) \parallel (\| i \in \varphi - (PA_P(b) \cup PA_P(c)) : P_i)$

Hence $P''' \xrightarrow{b} P'$, and so $P \xrightarrow{c} P''' \xrightarrow{b} P'$. Thus $P \xrightarrow{cb} P'$. □

Proposition 2 Let $P \xrightarrow{\pi} Q$. If $\pi$ and $\rho$ are equivalent, then $P \xrightarrow{\rho} Q$.

Proof: The proof is by induction on the number $m$ of exchanges of independent adjacent actions
required to obtain $\rho$ from $\pi$.

Base Case: $m = 1$.

Now $\rho$ is obtained from $\pi$ by one exchange. Hence we can write $\pi = \pi' a b \pi''$, $\rho = \pi' b a \pi''$ where $a, b$
are the exchanged independent actions. Thus we have

$P \xrightarrow{\pi'} P' \xrightarrow{ab} P'' \xrightarrow{\pi''} Q$   (*)

for some $P', P''$.

Since $a, b$ are independent in $P$, we can apply proposition 1 to $P' \xrightarrow{ab} P''$, thereby concluding
$P' \xrightarrow{ba} P''$. Using this result and (*) we have $P \xrightarrow{\pi'} P' \xrightarrow{ba} P'' \xrightarrow{\pi''} Q$. Hence $P \xrightarrow{\rho} Q$. Thus the
base case is established.

Induction Step: $m = n + 1$, $n \geq 1$, where the inductive hypothesis is assumed for $n$ exchanges.

Since $\rho$ is obtained from $\pi$ by $n + 1$ exchanges, there must exist an $\eta$ such that $\eta$ is obtained from $\pi$
by $n$ exchanges, and $\rho$ is obtained from $\eta$ by one exchange. By the inductive hypothesis, we have
$P \xrightarrow{\eta} Q$. Since $\rho$ is obtained from $\eta$ by one exchange, we use the same argument as employed in the
base case (i.e., for a single exchange) to conclude $P \xrightarrow{\rho} Q$. This establishes the induction step. □

Lemma 3 Let $Q = P[c/c;E]$. For every computation $\pi$ of $Q$, there exists an equivalent layered
computation $\pi'$.

Proof: Let $a^n$, $b^n$ denote the events in $\pi$ corresponding to the execution of $a$, $b$ in the $n$'th iteration
of $E$. Assume that $a^n$, $b^n$ are adjacent in $\pi$ with respect to $E^n$, and, without loss of generality,
assume that $a^n$ precedes $b^n$ along $\pi$. Let $d^m$ be an arbitrary event in $\pi(a^n, b^n)$. By definition of
adjacent, $d^m$ is not an event of $E^n$. Because $c$ synchronizes entry to $E$, $d$ cannot be an event of
$E^m$, $m \neq n$. Hence $d^m$ is an event of $P$, i.e., $d \in alphabet(P)$. Since $c^n$ occurs before $a^n$ along $\pi$,
we have the following ordering:

$c^n\ a^n\ d^m\ b^n$

Now any $P_i \in PA_Q(b)$ must also be in $PA_Q(c)$ by definition of $[c/c;E]$. Hence $P_i$ cannot be a
participant in $d$ since $d \notin alphabet(E)$ (and so $d^m$ cannot be an event of $E^n$, which it must be if $P_i$
participates in it). Hence $d$ and $b$ are independent actions and so can be commuted. Since $d^m$ is
an arbitrary event between $a^n$ and $b^n$, all such events can be commuted. Hence $a^n$, $b^n$ can be made
strictly adjacent, i.e., with no other events at all in between them. Since $a^n$, $b^n$ is an arbitrary pair
that is adjacent with respect to $E^n$, it follows that all such pairs can be brought together. Hence
we can produce an equivalent computation in which the events of $E^n$ form a single contiguous
subsequence. Repeating this operation for all $E^n$ (i.e., for all values of $n$) gives us the computation
$\pi'$. □

Lemma 4 Let $Q = P[c/E;c]$. For every computation $\pi$ of $Q$, there exists an equivalent layered
computation $\pi'$.

Proof: Let $a^n$, $b^n$ denote the events in $\pi$ corresponding to the execution of $a$, $b$ in the $n$'th iteration
of $E$. Assume that $a^n$, $b^n$ are adjacent in $\pi$ with respect to $E^n$, and, without loss of generality,
assume that $a^n$ precedes $b^n$ along $\pi$. Let $d^m$ be an arbitrary event in $\pi(a^n, b^n)$. By definition of
adjacent, $d^m$ is not an event of $E^n$. Because $c$ synchronizes exit from $E$, $d$ cannot be an event of
$E^m$, $m \neq n$. Hence $d^m$ is an event of $P$, i.e., $d \in alphabet(P)$. Since $c^n$ occurs after $b^n$ along $\pi$,
we have the following ordering:

$a^n\ d^m\ b^n\ c^n$

Now any $P_i \in PA_Q(b)$ must also be in $PA_Q(c)$ by definition of $[c/E;c]$. Hence $P_i$ cannot be a
participant in $d$ since $d \notin alphabet(E)$ (and so $d^m$ cannot be an event of $E^n$, which it must be if $P_i$
participates in it). Hence $d$ and $a$ are independent actions and so can be commuted. Since $d^m$ is
an arbitrary event between $a^n$ and $b^n$, all such events can be commuted. Hence $a^n$, $b^n$ can be made
strictly adjacent, i.e., with no other events at all in between them. Since $a^n$, $b^n$ is an arbitrary pair
that is adjacent with respect to $E^n$, it follows that all such pairs can be brought together. Hence
we can produce an equivalent computation in which the events of $E^n$ form a single contiguous
subsequence. Repeating this operation for all $E^n$ (i.e., for all values of $n$) gives us the computation
$\pi'$. □

Lemma 5 Let $Q = P[c/E]$. For every computation $\pi$ of $Q$, there exists an equivalent layered
computation $\pi'$.

Proof: Let $a^n$, $b^n$ denote the events in $\pi$ corresponding to the execution of $a$, $b$ in the $n$'th iteration
of $E$. Assume that $a^n$, $b^n$ are adjacent in $\pi$ with respect to $E^n$, and, without loss of generality,
assume that $a^n$ precedes $b^n$ along $\pi$. Let $d^m$ be an arbitrary event in $\pi(a^n, b^n)$. By definition
of adjacent, $d^m$ is not an event of $E^n$. By the no-overtaking condition, $d^m$ cannot be an event
of $E^m$, $m \neq n$. Hence $d^m$ is an event of $P$, i.e., $d \in alphabet(P)$. Hence, we have the following
ordering:

$a^n\ d^m\ b^n$

Now any $P_i \in PA_Q(d)$ cannot be a participant in both $a$ and $b$ since $d \notin alphabet(E)$ (and so
$d^m$ cannot be an event of $E^n$, which it must be if $P_i$ participates in $a$, $b$, and $d$). Furthermore,
if $a$ and $d$ have some process in common, then $d^m$ follows $a^n$ causally along $\pi$. It follows that no
participant $P_i$ of $d$ can execute $b^n$ after it has executed $d^m$, since this would involve $P_i$'s leaving
$E^n$ to execute $d^m$ and then re-entering $E^n$ to execute $b^n$. By construction of $[c/E]$, this behavior is
not possible. Hence, we conclude that either $a$ and $d$ are independent, or $b$ and $d$ are independent.
Hence, $d^m$ can be commuted with either $a^n$ or $b^n$. Since $d^m$ is an arbitrary event between $a^n$ and
$b^n$, all such events can be commuted in this way, and so $a^n$, $b^n$ can be made strictly adjacent, i.e.,
with no other events at all in between them. Since $a^n$, $b^n$ is an arbitrary pair that is adjacent with
respect to $E^n$, it follows that all such pairs can be brought together. Hence we can produce an
equivalent computation in which the events of $E^n$ form a single contiguous subsequence. Repeating
this operation for all $E^n$ (i.e., for all values of $n$) gives us the computation $\pi'$. □

Theorem 6 Let $Q = P[c/c;E]$. If $P$ is deadlock-free, then so is $Q$.

Proof: Let $Q'$ be an arbitrary derivative of $Q$, i.e., $Q \xrightarrow{\pi} Q'$ for some computation $\pi$. By lemma 3,
there exists a layered computation $\pi'$ of $Q$ such that $\pi' \equiv \pi$. Hence, by proposition 2, $Q \xrightarrow{\pi'} Q'$.
There are two cases.

Case 1: no $Q'_i$ in $Q'$ is at $E_i$ or in $E_i$. By a projection argument, we can show that the computation
$\rho = \pi'\langle c;E/c \rangle$ is a computation of $P$. Let $P \xrightarrow{\rho} P'$. Since $P$ is deadlock-free, $P' \xrightarrow{a}$ for some
action $a$. We can also show that $P'$ and $Q'$ have the same continuations. Hence $Q' \xrightarrow{a}$.

(end of case 1)

Case 2: Some $Q'_i$ in $Q'$ is at $E_i$ or in $E_i$.

Hence $\pi'$ can be written as $\rho c \rho'$ (where $\rho$, $\rho'$ could be empty). Also, $Q' = (\| i \in \psi : F_i; Q'_i) \parallel
(\| i \in \psi' : Q'_i)$ where $\psi$ contains all the processes at $E_i$ or in $E_i$ and $\psi'$ contains the remaining
processes. By $alphabet(E) \cap alphabet(P) = \emptyset$ and the presence of action $c$, which synchronizes entry
to $E_i$, we can show that $F = (\| i \in \psi : F_i; 0)$ is a derivative of $E$. Hence, by the single-iteration
property of $E$, $F \xrightarrow{a}$ for some action $a$. Hence $Q' \xrightarrow{a}$.

(end of case 2)

Since $Q' \xrightarrow{a}$ in both cases, and $Q'$ is an arbitrary derivative of $Q$, we conclude that $Q$ is
deadlock-free. □


Theorem  7  Let  Q  =  P[c/E;c].  If  P  is  deadlock-free,  then  so  is  Q, 

Proof: Let $Q'$ be an arbitrary derivative of $Q$, i.e., $Q \xrightarrow{\pi} Q'$ for some computation $\pi$. By lemma 3, there exists a layered computation $\pi'$ of $Q$ such that $\pi' \equiv \pi$. Hence, by proposition 2, $Q \xrightarrow{\pi'} Q'$. There are two cases.

Case 1: no $Q'_i$ in $Q'$ is at $E_i$ or in $E_i$. By a projection argument, we can show that the computation $\rho = \pi'\langle c;E/c\rangle$ is a computation of $P$. Let $P \xrightarrow{\rho} P'$. Since $P$ is deadlock-free, $P' \xrightarrow{a}$ for some action $a$. We can also show that $P'$ and $Q'$ have the same continuations. Hence $Q' \xrightarrow{a}$.

(end  of  case  1) 

Case 2: Some $Q'_i$ in $Q'$ is at $E_i$ or in $E_i$.

Hence $\pi'$ can be written as $\rho\, c\, \rho'$ (where $\rho, \rho'$ could be empty). Also, $Q' = (\| i \in \psi : E_i; Q'_i) \| (\| i \in \psi' : Q'_i)$, where $\psi$ contains all the processes at $E_i$ or in $E_i$ and $\psi'$ contains the remaining processes. By the conspiracy-resistance and coordinated-entry conditions, and the exit-synchronization provided by action $c$, we are guaranteed that eventually every participant of $c$ will enter $E$. Hence, any computation $\pi''$ of $Q'$ eventually reaches a derivative $Q''$ of the form $Q'' = (\| i \in PA_Q(c) : E_i; Q''_i) \| (\| i \notin PA_Q(c) : Q''_i)$.

By $alphabet(E) \cap alphabet(P) = \emptyset$, we can show that $F = (\| i \in PA_Q(c) : E_i; 0)$ is a derivative of $E$. Hence, by the single-iteration property of $E$, $F \xrightarrow{a}$ for some action $a$. Hence $Q'' \xrightarrow{a}$.

(end  of  case  2) 

Since $Q'$ is an arbitrary derivative of $Q$, and $Q' \xrightarrow{a}$ in the first case, and $Q'$ is guaranteed to always generate a derivative of the form of $Q''$ in the second case, we conclude that it is impossible for a derivative of $Q$ that has no enabled actions to be generated. Hence $Q$ is deadlock-free. □

Theorem 8 Let $Q = P[c/E]$. If $P$ is deadlock-free, then so is $Q$.

Proof: Let $Q'$ be an arbitrary derivative of $Q$, i.e., $Q \xrightarrow{\pi} Q'$ for some computation $\pi$. By lemma 4, there exists a layered computation $\pi'$ of $Q$ such that $\pi' \equiv \pi$. Hence, by proposition 2, $Q \xrightarrow{\pi'} Q'$. There are two cases.

Case 1: no $Q'_i$ in $Q'$ is at $E_i$ or in $E_i$. By a projection argument, we can show that the computation $\rho = \pi'\langle c;E/c\rangle$ is a computation of $P$. Let $P \xrightarrow{\rho} P'$. Since $P$ is deadlock-free, $P' \xrightarrow{a}$ for some action $a$. We can also show that $P'$ and $Q'$ have the same continuations. Hence $Q' \xrightarrow{a}$.

(end  of  case  1) 

Case 2: Some $Q'_i$ in $Q'$ is at $E_i$ or in $E_i$.

Hence $\pi'$ can be written as $\rho\, c\, \rho'$ (where $\rho, \rho'$ could be empty). Also, $Q' = (\| i \in \psi : E_i; Q'_i) \| (\| i \in \psi' : Q'_i)$, where $\psi$ contains all the processes at $E_i$ or in $E_i$ and $\psi'$ contains the remaining processes. By the conspiracy-resistance, coordinated-entry, and no-overtaking conditions, we are guaranteed that eventually every participant of $c$ will enter $E$. Hence, any computation $\pi''$ of $Q'$ eventually reaches a derivative $Q''$ of the form $Q'' = (\| i \in PA_Q(c) : E_i; Q''_i) \| (\| i \notin PA_Q(c) : Q''_i)$.

By $alphabet(E) \cap alphabet(P) = \emptyset$, we can show that $F = (\| i \in PA_Q(c) : E_i; 0)$ is a derivative of $E$. Hence, by the single-iteration property of $E$, $F \xrightarrow{a}$ for some action $a$. Hence $Q'' \xrightarrow{a}$.

(end  of  case  2) 

Since $Q'$ is an arbitrary derivative of $Q$, and $Q' \xrightarrow{a}$ in the first case, and $Q'$ is guaranteed to always generate a derivative of the form of $Q''$ in the second case, we conclude that it is impossible for a derivative of $Q$ that has no enabled actions to be generated. Hence $Q$ is deadlock-free. □
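The following is an added example, not code from the paper: a small finite model in which each process is a cyclic list of action names and an action fires only when every process whose alphabet contains it is at that action (a simplified multiway-synchronization semantics, assumed here). It lets one check the claim of theorems 6 to 8 on concrete instances by exhaustive state exploration: replacing $c$ by $c;E$, $E;c$ or $E$ keeps a deadlock-free $P$ deadlock-free when the fragment $E$ is deadlock-free, and it exhibits the stuck derivative when the fragment is not.

```python
# Added example (not from the paper). Model assumptions: a system is a list of
# processes, each a cyclic list of action names; an action is enabled iff every
# process whose alphabet contains it is currently at that action.

def enabled(procs, state):
    """Actions enabled in `state` (one program counter per process)."""
    here = {procs[i][pc] for i, pc in enumerate(state)}
    return sorted(a for a in here
                  if all(procs[i][pc] == a
                         for i, pc in enumerate(state) if a in procs[i]))

def step(procs, state, a):
    """Advance every participant of `a` by one action (cyclically)."""
    return tuple((pc + 1) % len(procs[i]) if a in procs[i] else pc
                 for i, pc in enumerate(state))

def deadlock_free(procs):
    """Explore every derivative; return (True, None) or (False, stuck state)."""
    start = tuple(0 for _ in procs)
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        en = enabled(procs, s)
        if not en:
            return False, s          # a derivative with no enabled action
        for t in (step(procs, s, a) for a in en):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return True, None

def refine(procs, c, frag, mode):
    """P[c/c;E], P[c/E;c] or P[c/E]: in each participant i of c, replace c by
    c followed by frag[i], frag[i] followed by c, or frag[i] alone."""
    out = []
    for i, p in enumerate(procs):
        e = frag.get(i, [])
        sub = {"c;E": [c] + e, "E;c": e + [c], "E": e}[mode]
        out.append([x for a in p for x in (sub if a == c else [a])])
    return out

# Constructed instances: P has two processes that synchronise on c; the
# fragment E (alphabet disjoint from P) synchronises its participants on e2.
P = [["a", "c"], ["b", "c"]]
E_GOOD = {0: ["e1", "e2"], 1: ["e2", "e3"]}   # deadlock-free fragment
E_BAD = {0: ["e1", "e2"], 1: ["e2", "e1"]}    # participants wait on each other

if __name__ == "__main__":
    for mode in ("c;E", "E;c", "E"):
        print(mode, deadlock_free(refine(P, "c", E_GOOD, mode)))
    print("bad fragment:", deadlock_free(refine(P, "c", E_BAD, "c;E")))
```

With `E_BAD` the refined system reaches the derivative in which both participants have passed $c$ and each waits for the other's first $E$ action, which is exactly the situation the single-iteration and deadlock-freedom hypotheses on $E$ rule out.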

Theorem 9 Let $Q = P[c/c;E]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $P \models_\Phi a \leadsto b$, then $Q \models_\Phi a \leadsto b$.

Proof: Let $Q \xrightarrow{\pi a^n \pi'} Q'$, where $\pi a^n \pi'$ is an arbitrary maximal fair computation of $Q$ with some occurrence of $a$ along it. By lemma 3, there exists a layered computation $\rho$ equivalent to $\pi a^n \pi'$. Hence, by a projection argument, $\rho\langle c;E/c\rangle$ is a fair computation of $P$. Since $P \models_\Phi a \leadsto b$, we conclude that $\rho\langle c;E/c\rangle$ contains an event $b^m$ following $a^n$. Since $a, b$ are not independent, $\pi'$ also contains $b^m$ following $a^n$ (since $a, b$ cannot be commuted). Since $\pi a^n \pi'$ was chosen arbitrarily, it follows that $Q \models_\Phi a \leadsto b$. □

Theorem 10 Let $Q = P[c/c;E]$. If $PA_E(a) \cap PA_E(b) \neq \emptyset$ and $E \models a \leadsto b$, then $Q \models_\Phi a \leadsto b$.

Proof: Let $Q \xrightarrow{\pi a^n \pi'} Q'$, where $\pi a^n \pi'$ is an arbitrary maximal fair computation of $Q$ with some occurrence of $a$ along it. By lemma 3, there exists a layered computation $\rho$ equivalent to $\pi a^n \pi'$. By fairness, $E \models a \leadsto b$, and the entry-synchronization provided by $c$, we can show that every layered computation satisfies $a \leadsto b$. Hence $\rho \models a \leadsto b$. Hence $\rho$ contains $b^m$ following $a^n$. Since $a, b$ are not independent (and therefore cannot be commuted), $\pi'$ must contain $b^m$. Since $\pi a^n \pi'$ was chosen arbitrarily, it follows that $Q \models_\Phi a \leadsto b$. □

Theorem 11 Let $Q = P[c/c;E]$. If $P \models_\Phi a \leadsto c$, and $E \models \Diamond b$, then $Q \models_\Phi a \leadsto b$.

Proof: Let $Q \xrightarrow{\pi}$, where $\pi$ is an arbitrary maximal fair computation of $Q$. By lemma 3, there exists a layered computation $\rho$ equivalent to $\pi$. By a projection argument, $\rho\langle c;E/c\rangle$ is a fair computation of $P$. Since $P \models_\Phi a \leadsto c$, we conclude that $\rho\langle c;E/c\rangle \models_\Phi a \leadsto c$. Hence, by a projection argument, we conclude that every occurrence of $a$ along $\pi$ is followed eventually by entry into $E$. By fairness and $E \models \Diamond b$, this in turn leads to execution of $b$. Hence $\pi \models a \leadsto b$. Since $\pi$ was chosen arbitrarily, it follows that $Q \models_\Phi a \leadsto b$. □

Theorem 12 Let $Q = P[c/E;c]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $P \models_\Phi a \leadsto b$, then $Q \models_\Phi a \leadsto b$.

Proof: Let $Q \xrightarrow{\pi a^n \pi'} Q'$, where $\pi a^n \pi'$ is an arbitrary maximal fair computation of $Q$ with some occurrence of $a$ along it. By lemma 4, there exists a layered computation $\rho$ equivalent to $\pi a^n \pi'$. Hence, by a projection argument, $\rho\langle E;c/c\rangle$ is a fair computation of $P$. Since $P \models_\Phi a \leadsto b$, we conclude that $\rho\langle E;c/c\rangle$ contains an event $b^m$ following $a^n$. Since $a, b$ are not independent, $\pi'$ also contains $b^m$ following $a^n$ (since $a, b$ cannot be commuted). Since $\pi a^n \pi'$ was chosen arbitrarily, it follows that $Q \models_\Phi a \leadsto b$. □

Theorem 13 Let $Q = P[c/E;c]$. If $PA_E(a) \cap PA_E(b) \neq \emptyset$ and $E \models a \leadsto b$, then $Q \models_\Phi a \leadsto b$.

Proof: Let $Q \xrightarrow{\pi a^n \pi'} Q'$, where $\pi a^n \pi'$ is an arbitrary maximal fair computation of $Q$ with some occurrence of $a$ along it. By lemma 4, there exists a layered computation $\rho$ equivalent to $\pi a^n \pi'$. By fairness, $E \models a \leadsto b$, and the entry-synchronization provided by the conspiracy-resistance and coordinated-entry conditions, we can show that every layered computation satisfies $a \leadsto b$. Hence $\rho \models a \leadsto b$. Hence $\rho$ contains $b^m$ following $a^n$. Since $a, b$ are not independent (and therefore cannot be commuted), $\pi'$ must contain $b^m$. Since $\pi a^n \pi'$ was chosen arbitrarily, it follows that $Q \models_\Phi a \leadsto b$. □

Theorem 14 Let $Q = P[c/E;c]$. If $P \models_\Phi a \leadsto c$, and $E \models \Diamond b$, then $Q \models_\Phi a \leadsto b$.

Proof: Let $Q \xrightarrow{\pi}$, where $\pi$ is an arbitrary maximal fair computation of $Q$. By lemma 4, there exists a layered computation $\rho$ equivalent to $\pi$. By a projection argument, $\rho\langle c;E/c\rangle$ is a fair computation of $P$. Since $P \models_\Phi a \leadsto c$, we conclude that $\rho\langle c;E/c\rangle \models_\Phi a \leadsto c$. Hence, by a projection argument, and the entry-synchronization provided by the conspiracy-resistance and coordinated-entry conditions, we conclude that every occurrence of $a$ along $\pi$ is followed eventually by entry into $E$. By fairness and $E \models \Diamond b$, this in turn leads to execution of $b$. Hence $\pi \models a \leadsto b$. Since $\pi$ was chosen arbitrarily, it follows that $Q \models_\Phi a \leadsto b$. □

Theorem 15 Let $Q = P[c/E]$. If $PA_P(a) \cap PA_P(b) \neq \emptyset$ and $P \models_\Phi a \leadsto b$, then $Q \models_\Phi a \leadsto b$.

Proof: Since the proof of theorem 12 above did not use the fact that action $c$ provides exit-synchronization to $P$, the same proof carries over here. □

Theorem 16 Let $Q = P[c/E]$. If $PA_E(a) \cap PA_E(b) \neq \emptyset$ and $E \models a \leadsto b$, then $Q \models_\Phi a \leadsto b$.

Proof: Since the proof of theorem 13 above did not use the fact that action $c$ provides exit-synchronization to $P$, the same proof carries over here. □

Theorem 17 Let $Q = P[c/E]$. If $P \models_\Phi a \leadsto c$, and $E \models \Diamond b$, then $Q \models_\Phi a \leadsto b$.

Proof: Since the proof of theorem 14 above did not use the fact that action $c$ provides exit-synchronization to $P$, the same proof carries over here. □